The residual risk is the risk that remains after the control measures have been taken into account.
If there are no control measures in place, the residual risk will be the same as the inherent risk.
The more control measures that are in place, the greater their impact on the residual risk that remains. There might be a high inherent risk, but because of the control measures the residual risk is medium.
The residual risk is the one that an organisation can control by adding control measures. The residual risk should always be at an acceptable level for an organisation. If it is too high, more control measures should be added.